There are two ways to detect an attacker within your network – through network monitoring software or abnormal user behavior.  Here comes a new malware that can evade both.  Skeleton key is able to bypass Active Directory (Definition) systems that use single-factor authentication (Definition) to access webmail and Virtual Private Network (VPN) (Definition).  The malware is deployed as an “in-memory patch” and is not installed in the hard disk, which makes it very difficult to detect.

This allows the attacker to assume the identity of any user, without having to steal the user’s log in credentials or even changing the user’s password.  It will seem like normal end user activity that does not raise much suspicion.

As the attacker can pose as any user, it can for example, assume the identity of a Technical Manager, then it wouldn’t seem unusual for them to access relevant technical information.  If they pose as a Sales Director, then it wouldn’t raise a red flag if credit card data is accessed.

The reason that IDS or IPS cannot detect the Skeleton Key is that it does not create network traffic.  It would seem that the malware is invincible.  It is considered to be super stealthy.

The Skeleton Key has some flaws.  It would be deleted upon reboot of the Active Directory system, which would leave the attackers locked out when they try to sign in as an employee.  What this means is that the attackers have failed to set up an effective command and control infrastructure.  However, the attackers would already have a Remote Access Trojan installed on the target’s network, which allows them to use that malware to re-activate Skeleton Key.

Nevertheless, only systems that run off of Active Directory are affected.   Does it mean that we should not be too concern about it?  Of course not!  Anyone using Active Directory should be concerned.  If this malware infects an organization that’s widely using Active Directory, they have a lot to worry about, as their critical authentication process will be completely compromised.

For your information, the Skeleton Key was discovered last year in a global organization with its headquarters in London.  It was later dubbed the Skeleton Key, as it was able to provide almost unrestrained access to every single employee’s corporate account.  Don Smith, Technology Director at Dell SecureWorks said that in his 20 years in the security business, this is one of the most startling cases of digital espionage he has seen.

In the beginning of this article, it is mentioned that Skeleton Key is able to bypass Active Directory systems that use single-factor authentication.  A place to start to mitigate this problem is to employ two-factor authentication (Definition).

Source

Definition

2.                     Active Directory – a service that Microsoft developed for Windows domain network and is included in most Windows Server operating systems.  An AD domain controller authenticates and authorizes all users and computers in a Windows domain type network.

3.                     Single-Factor Authentication – traditional security process that requires a username and password before granting access to the user.  In this scenario the user should take additional precaution, for example, creating a strong password and ensure that no one can access it.

4.                     Virtual Private Network (VPN) – utilizes public telecommunications network, such as the internet, to conduct private data communications.  For example, using the internet to provide remote offices or individual users with secure access to an organization’s network.

5.                     Two-factor authentication (2FA) – a two-step verification process is an extra layer of security that is known as “multi-factor authentication” that requires a password, username and something that the user only has, such as a physical token (provided by some banks), or a one-time code (OTP) that is send to a user’s mobile device.